Earlier today, Reuters published an article which suggests that Yahoo has been automatically scanning all of its users’ incoming emails at the behest of a government agency. This began in 2015, and it’s unclear if it is still occurring. The report was based on the claims of two former Yahoo employees and a third source familiar with the matter. All three sources declined to be identified in the article. The sources say that the scanning was done at the request of either the FBI or the NSA, but it’s not known which agency is responsible.
According to the sources, Yahoo complied with the government directive to search for a series of characters, most likely a word or phrase. However, the sources did not say what the characters were. In order to accomplish this task, the company wrote custom software to automatically search all emails and attachments. Although companies have frequently handed over data to government agencies, surveillance experts consider Yahoo’s actions to be unprecedented. This is the first known case of continuous real-time surveillance targeting hundreds of millions of email accounts, as opposed to searching through stored data or real-time monitoring of a few accounts. This is also the first known case of an email provider writing custom software to help the government spy on its own users.
Albert Gidari, a lawyer with 20 years of experience representing Internet and phone companies in surveillance cases, remarked, “I’ve never seen that, a wiretap in real time on a ‘selector.’ It would be really difficult for a provider to do that.” According to Reuters, “A selector refers to a type of search term used to zero in on specific information.”
Although Yahoo is the first company implicated in this sort of surveillance, it is likely that surveillance agencies have made similar requests of other companies. However, it is unknown if any of them have accepted the requests or implemented measures similar to Yahoo’s. Major email providers Google and Microsoft have not responded to requests for comment.
The government directive behind this surveillance is supported by the Foreign Intelligence Surveillance Act (FISA). Legal experts are split on whether or not Yahoo could have successfully challenged the request. Some experts say the request was too broad and writing custom software to carry it out was an undue burden on Yahoo. Other experts believe the request is in accordance with existing precedent. The sources state that Yahoo executives decided not to challenge the request because they believed they would lose. In 2007, the company challenged a FISA request to search specific accounts without a warrant. The details of the case remain secret, but a redacted ruling was published which shows Yahoo’s challenge was unsuccessful.
The sources also claim that surveillance caused internal strife within the company. The program to scan the emails was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The team thought it was the work of hackers who broke into the system. Chief Information Security Officer Alex Stamos was shocked when he found out that Yahoo CEO Marissa Mayer had authorized the program without informing or involving the security team. This allegedly led to Stamos’s departure from the company in June. Stamos is reported to have told subordinates that Yahoo put customers’ security at risk, and that a programming flaw in the scanning program could have allowed hackers to access those emails. However, Stamos has not publicly commented on this matter or made any comment criticizing Yahoo since his departure.
When contacted by Reuters on this matter, the company stated, “Yahoo is a law abiding company, and complies with the laws of the United States.” The company declined to comment further. However, the report suggests Yahoo was scanning the emails of all its users including those outside of the U.S. This may put it at odds with countries, particularly in Europe, which have data protection laws governing how tech companies handle their citizens’ personal data. We have reached out to the company for comment, and will update with any new information. The NSA referred any requests for comment to the Director of National Intelligence, who declined to comment.
If the report is true, should Yahoo have fought the request to search all incoming emails? Leave your comments below.